Forum Discussion
Azure Advanced Threat Protection service failing to start after installing November MS Patches
MicrosoftWe've seen several cases where the sensors failed because of the November updates and how they affect Kerberos and gMSAs in particular.
There's some information in the links below (please note that those are not Microsoft official docs), but the best approach would be for you to open a support ticket and get the best solution for your environment.
Windows Kerberos authentication breaks after November updates (bleepingcomputer.com)
Thanks for the helpful info.
I confirmed we're receiving the event id 14 for the atp group managed service account as outlined here:
https://www.bleepingcomputer.com/news/microsoft/windows-kerberos-authentication-breaks-after-november-updates/
event id 14:
While processing an AS request for target service krbtgt, the account %OURGMSAUSEDWITHATP%$ did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes : 18 17 23 24 -135 3. The accounts available etypes : 23 18 17. Changing or resetting the password of %OURGMSAUSEDWITHATP%$ will generate a proper key.
--
It doesn't look like there's a way to force a password change on a gmsa to see if this message is actually accurate. The time change is hardcoded at creation (30 days) (https://social.technet.microsoft.com/Forums/en-US/d08bdb51-81f4-4368-9213-33a969e1b29b/powershell-cmdlet-to-reset-gmsa-password?forum=ITCG)
Maybe we can create a new gmsa and test it with atp? Would this work or is the message not accurate?
It says that Microsoft is working on a fix for this issue and it will be released in the next few weeks.
- Microsoft released a updated CU to resolve this issue: https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-kerberos-auth-issues-in-emergency-updates/
